CISSP Common Body of Knowledge Review (PDF)
Information Security Governance & Risk Management Domain
Version: 5.10
CISSP Common Body of Knowledge Review by Alfred Ouyang is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
Learning Objectives
Breadth of Knowledge (Figure: the ten CISSP domains)
• InfoSec & Risk Management
• Software Dev. Security
• Access Control
• Telecom & Network Security
• Cryptography
• BCP & DRP
• Security Architecture & Design
• Ops Security
• Legal, Investigation, & Ethics
• Physical Security
Information Security Concept
Security Objectives
• Confidentiality
– “Preserving authorized restriction on information access and disclosure, including means for protecting personal privacy and proprietary information.” (44 USC Sec. 3542)
• Integrity
– “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.” (44 USC Sec. 3542)
• Availability
– “Ensuring timely and reliable access and use of information.” (44 USC Sec. 3542)
Security Implementation Principles
• Confidentiality, Integrity, Availability
• Need-to-know
– Users should only have access to information (or systems) that enable them to perform their assigned job functions.
• Least privilege
– Users should only have sufficient access privileges that allow them to perform their assigned work.
• Separation of duties
– No person should be responsible for completing a task involving sensitive, valuable or critical information from the beginning to end.
– No single person should be responsible for approving his/her own work.
(Figure: sources of security requirements)
Law, Regulations, and Policies: FISMA, SOX, GBL, National Security Act, USA PATRIOT ACT, etc.; OMB A-130, A-11, etc.; E.O. 13292, 12968, etc.; DoD 5200.1-R, etc.
Security Objectives: Confidentiality; Integrity; Availability
Standards and Best Practices: NIST FIPS, SP 800-x, etc.; COBIT, ITIL, Common Criteria; ISO/IEC 27001, 21827, etc.; DoDI 8500.2, 8510.01
Security Implementation Principles: Confidentiality, Integrity, Availability; Need-to-Know; Least Privilege; Separation of Duties
Benchmarks and Guidelines: NIST National Checklist, DISA STIGs, CIS Benchmarks, etc.
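Added example, not from the slide deck: a small Python authorization check that encodes the three implementation principles above (need-to-know, least privilege and separation of duties) for a change request (CCR) approval workflow. The roles, users and change-request fields are constructed for illustration; the ordering of the three checks is the point.

```python
"""Added example, not from the slide deck: authorization decisions that encode
need-to-know, least privilege and separation of duties for a change request
(CCR) workflow. Roles, users and CCRs below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Least privilege: each role is granted exactly the actions its job needs.
# There is deliberately no catch-all "admin" role.
ROLE_ACTIONS = {
    "developer": {"submit_change", "read_change"},
    "release_manager": {"approve_change", "read_change"},
    "auditor": {"read_audit_log"},
}


@dataclass
class User:
    name: str
    role: str


@dataclass
class ChangeRequest:
    ccr_id: str
    submitted_by: str
    # Need-to-know: job functions that must see this change to do their work.
    need_to_know: Set[str] = field(default_factory=set)
    approved_by: Optional[str] = None


def decide(user: User, action: str, change: ChangeRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for `user` attempting `action` on `change`.

    Checks run from the most general to the most specific; a deny from any
    one of them is final.
    """
    # 1. Least privilege: the role must explicitly grant the action.
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"least privilege: role {user.role!r} is not granted {action!r}"
    # 2. Need-to-know: a permitted reader must still be listed on the object.
    if action == "read_change" and user.role not in change.need_to_know:
        return False, f"need-to-know: {user.role!r} has no need to know {change.ccr_id}"
    # 3. Separation of duties: nobody approves their own submission.
    if action == "approve_change" and change.submitted_by == user.name:
        return False, "separation of duties: submitter may not approve own change"
    return True, "allowed"


def approve(user: User, change: ChangeRequest) -> ChangeRequest:
    """Record an approval, or raise PermissionError carrying the denial reason."""
    allowed, reason = decide(user, "approve_change", change)
    if not allowed:
        raise PermissionError(reason)
    change.approved_by = user.name
    return change


if __name__ == "__main__":
    ccr = ChangeRequest("CCR-0001", submitted_by="alice",
                        need_to_know={"developer", "release_manager"})
    for user, action in [
        (User("alice", "developer"), "approve_change"),     # least privilege deny
        (User("erin", "auditor"), "read_change"),           # least privilege deny
        (User("bob", "release_manager"), "read_change"),    # allowed
        (User("bob", "release_manager"), "approve_change"), # allowed
    ]:
        print(user.name, action, decide(user, action, ccr))
    # Separation of duties: bob cannot approve a change bob submitted.
    own = ChangeRequest("CCR-0002", submitted_by="bob", need_to_know={"release_manager"})
    print("bob approve_change own", decide(User("bob", "release_manager"), "approve_change", own))
```

Note that the least-privilege check is a positive grant lookup: an action absent from the role's set is denied without any further reasoning, which is what keeps a new role from silently inheriting approval rights.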
Security Controls
“Security controls are the management, operational,
and technical safeguards or countermeasures
employed within an organizational information system
to protect the confidentiality, integrity, and availability
of the system and its information.”
– What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
– Have the selected controls been implemented, or is there a realistic plan for their implementation?
– What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
Reference: NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems.
• Functional requirements
– For defining security behavior of the IT product or system.
• Assurance requirements
– For establishing confidence that the security function will perform as intended.
Example:
• VLAN technology shall be created to partition the network into multiple mission-specific security domains.
• The integrity of the internetworking architecture shall be preserved by the access control list (ACL).
Evaluation (Figure: evaluation process, ending with the EAL assigned)
Reference:
- Draft NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, February 2013.
- ISO/IEC 15408, Common Criteria Evaluation & Validation Scheme (CCEVS), Version 2.3, August 2005.
• Due Diligence
– Continual actions that an organization takes to protect and minimize risk to its tangible and intangible assets.
Information Assurance “Defense-In-Depth” Strategy
(Figure: People, executing Operations, supported by Technology)
References
• NSA IA Solution Directions, Information Assurance Technical Framework, Release 3.1
• ISO/IEC 27002:2005, Code of Practice for Information Security Management
Answers:
• What are the three security objectives?
– Confidentiality
– Integrity
– Availability
Questions:
• What are the eight security “best practices”?
Typical Outputs:
– Policies, Standards, and Procedures
– System Security Plan (SSP) or System Security Authorization Agreement (SSAA)
– ST&E Report, Risk Statement, and POA&M for Risk Mitigation
Information Security Management
Learning Objectives
(Figure: governance document hierarchy, military example)
• Policies: Executive Orders, DoD Directives, Joint Doctrines, Organizational Policies
• Standards: DoD Regulations
• Process: DITSCAP / DIACAP, SIPRNet CAP
• Procedure: DoD Manuals
• Guidelines: DISA STIGs, NSA SNAC SCGs
Information Security Governance
Policies
Policies:
• Explain laws, regulations, business/mission needs, and management expectations (goals & objectives).
• Identify roles and delineate responsibilities.
Examples:
• Federal (/Civil)
• Military
– DoD Directives, Instructions, Manuals, etc.
• Intelligence
– Director, Central Intelligence Directives (DCID).
Standards
Standards:
• Mandatory activities, actions, and rules for the execution of management (or administrative) policies
Examples:
• Federal (/ Civil)
– Federal Information Processing Standards (FIPS)
• Military
• Commercial (/ Industry)
(Figure: lineage of evaluation criteria: Orange Book (TCSEC) 1985 and Canadian Criteria (CTCPEC) 1993 lead to the Federal Criteria Draft 1993; UK Confidence Levels 1989, German Criteria and French Criteria lead to ITSEC 1991; these converge in the Common Criteria V1.0 1996, V2.0 1998, V2.1 1999, ISO 15408-1999)
• DoD 5200.28-STD Trusted Computer System Evaluation Criteria (TCSEC)
– Evaluates Confidentiality.
• Information Technology Security Evaluation Criteria (ITSEC)
– Evaluates Confidentiality, Integrity and Availability.
• Common Criteria (CC)
– Provided a common structure and language.
– It’s an International standard (ISO 15408).
• ISO/IEC 27002:2005 is a “Code of practice” for information security management
Reference:
ISO/IEC 27001:2005, Information Security Management Systems - Requirements, 2005.
ISO/IEC 27002:2005, Code of Practice for Information Security Management, 2005.
Guidelines
Guidelines:
• Frameworks or recommendations that facilitate implementation of policies, standards, processes, and procedures.
Examples:
• Federal (/ Civil)
– NIST Special Publications (NIST SP 800 series).
• Military
– NSA-IATF, NSA-IAM, NSA-IEM.
• Commercial
Question:
• What are the four types of documents that provide governance to IT security?
Answer:
• What are the four types of documents that provide governance to IT security?
– Policy
– Standard
– Procedure (or Manual)
– Guideline
Information Classification
Questions:
• What is the importance of information classification?
Answers:
• What is the importance of information classification?
– Explains the sensitivity of the information, and the level of protection required to meet the security objectives
Notes on NIST SP 800-59
The information classification concept is also implemented for information systems that store, process, and distribute national security information…
• NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.
– It’s a guideline for identification only,
– It does not discuss how information should be managed, and
– Agencies have to establish their own policies
System Life Cycle (SLC) and System Development Life Cycle (SDLC)
Learning Objectives
(Figure: Requirements, Design, Implementation, Verification, Maintenance phases, in two parallel columns)
(Figure) Reference: http://csse.usc.edu/people/barry.html
(Figure: RAD) Reference: http://www.cs.bgsu.edu/maner/domains/RAD.htm
… design process, coding, test & integration, technical and project reviews etc.
(Figure) Reference: B. Boehm, J.A. Lane, Using the Incremental Commitment Model to Integrate System Acquisition, Systems Engineering, and Software Engineering, CrossTalk, October 2007.
(Figure: staged delivery: Requirements Analysis and Architecture Design, then Detailed Design, Coding and Debugging, and Subsystem Testing repeated for each stage, followed by System Testing and Deployment)
Reference: Rapid Development: Taming Wild Software Schedules, Steve McConnell, Microsoft Press, 1996
Reference:
* J. Gorman, G. Kim, Security is Dead. Long Live Rugged DevOps: IT at Ludicrous Speed, RSA Conference 2012 (http://www.slideshare.net/realgenekim/security-is-dead-long-live-rugged-devops-it-at-ludicrous-speed)
** Jon Jenkins, Velocity Culture, O’Reilly Velocity 2011, (http://www.youtube.com/watch?v=dxk8b9rSKOo)
(Figure: lineage of systems and software engineering standards)
Systems Engineering: MIL-STD 499 (1969), MIL-STD 499A (1974), MIL-STD 499B (1994); INCOSE SE Handbook (2000 - 2010); ISO/IEC 15288 (2002 - 2008)
Software Engineering: DOD-STD 2167A (1988), DOD-STD 7935A (1988); ISO/IEC 12207 (1995), ISO/IEC 12207 (1996 - 2008)
(Figure: ISO/IEC 12207 software processes: Software Implementation Process; Software Requirements Analysis; Software Architectural Design; Software Integration; Software Qualification Testing; Software Installation; Software Acceptance Support; Project and System processes)
Disposal Process
* Note: ISO/IEC 15288 is identical to IEEE Std 15288
(Figure: ISO/IEC 15288 / 12207 process groups)
• Life Cycle Model Management Process; Infrastructure Management Process; Human Resource Management Process; Quality Management Process
• Configuration Management Process; Information Management Process
• Integration Process; Verification Process; Validation Process; Operation Process; Maintenance Process
• Software Construction Process; Software Integration Process; Software Validation Process; Software Review Process; Software Problem Resolution Process
• Software Reuse Processes: Domain Engineering Process; Reuse Program Management Process
(Figure: System Definition, Preliminary Design, Detailed Design, Fabrication, Assembly, Integration & Test (FAIT))
Reference: NIST SP 800-64, Rev 2, Security Considerations in the Information System Development Life Cycle.
(Figure: NIST SP 800-64 phases, including PHASE 2: DEFINE SYSTEM REQUIREMENTS, PHASE 3: DESIGN SYSTEM ARCHITECTURE, PHASE 6: ASSESS EFFECTIVENESS)
– Based on security architecture, design security functions and features for the system.
It starts at the beginning of a SDLC…
(Table: IEEE 1220 SDLC stage; DoD Acquisition phase; Key System Engineering Tasks; Key Security Engineering Tasks*)
IEEE 1220 SDLC: User Needs & Technology Opportunities; Concept Stage. DoD Acquisition: Concept Refinement, up to Milestone A.
Key System Engineering Tasks – Task 1: Discover Mission/Business Needs
• Understand customer’s mission/business goals (i.e., initial capability, project risk assessment)
• Understand system concept of operations (CONOPS)
• Create high-level entity-data relations model (i.e., system context diagram)
• Define engineering project strategy and integrate into the overall project strategy
• Create system engineering management plan (SEMP)
Key Security Engineering Tasks* – Task 1: Discover Information Protection Needs
• Understand customer’s information protection needs (i.e., infosec. risk assessment)
• Understand operating environment (i.e., sensitivity of information assets, mode of operations)
• Create information management model (IMM)
• Define information protection policy (IPP) and integrate into the project strategy
• Create system security plan (SSP) and integrate into SEMP
Milestone A – Task 6: Assess project performance in meeting mission/business needs
Questions:
• What classic system development life cycle (SDLC) model allows system engineers to go back to the previous step?
Answers:
• What classic system development life cycle (SDLC) model allows system engineers to go back to the previous step?
– Modified Waterfall
Risk Management
What is a Risk?
• Risk is the relationship between the likelihood of a loss and the potential impact to the business (/ mission).
• Vulnerability. A weakness or flaw that may provide an …
• Risk. The likelihood that a threat agent exploits the vulnerability.
(Figure: Vulnerability leads to Risk; Risk can damage, and indirectly affects, the Asset; a “Reduces” relationship points at Risk)
» VZ (Verizon)
» USSS (United States Secret Service)
Reference: 2011 Data Breach Investigations Report, Verizon, January 2012 (http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf)
Information Security Management
Risk Management
(Figure, B. Boehm: Risk Management = Risk Assessment (Risk Identification, Risk Analysis, Risk Prioritization) + Risk Control (Risk Mgmnt. Planning, Risk Resolution, Risk Monitoring))
Fundamental revisited
• Risk assessment activities: risk identification, risk analysis, and risk prioritization
• Risk control activities: risk management planning, risk resolution, and risk monitoring
Reference: Software Risk Management, B. Boehm, IEEE Computer Society Press, 1989.
Risk Management
Reference: NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, Sept. 2011
(Figure: risk assessment process with the inputs and outputs of each step)
• Preparing for Risk Assessment (System Characterization)
– Inputs: Software CIs; System Functions; System I/Fs; Data & Info.; People
– Outputs: System & Data Criticality; System & Data Sensitivity; Information Management Model (IMM); Mission
• Determine Likelihood
– Inputs: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
– Output: Likelihood Rating of Occurrence
• Determine Risk
– Inputs: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
– Outputs: Risks & Associated Risk Levels; Information Protection Plan (IPP); Plan of Actions & Milestones (POA&M)
Questions
• What are the two types of risk analysis methods?
Answers
• What are the two types of risk analysis methods?
– Qualitative
– Quantitative
Certification & Accreditation (C&A)
Concept
• Certification is a disciplined approach to evaluate the level of conformance of the implemented security controls to the security requirements prescribed for a security enclave.
(Figure: DIACAP with INFOSEC Enhancements)
• ASSESSMENTS (Level I)
• EVALUATIONS (Level II)
• RED TEAM (Level III)
Security Assessment
(Figure: incidents reported to US-CERT*, FY’05 to FY’11; vertical axis 0 to 40,000)
Reference: * US-CERT.
(Figure: repeated OODA loops: Observe, Orient, Decide, Act)
• Agency’s defensive operation
• Agency’s security automation-enabled cyber operations
Reference:
• T. Sanger, Keynote Address, 7th Annual IT Security Automation Conference, Oct. 31, 2011.
• T. Keanini, Boyd’s OODA Loop and Continuous Monitoring, 7th Annual IT Security Automation Conference, Oct. 31, 2011.
Questions:
• When should risk assessment be performed in a typical system life cycle?
Answers:
• When should risk assessment be performed in a typical system life cycle?
– Risk management is a life cycle activity. Risk assessment should be performed periodically throughout the system life cycle.
Questions:
• In qualitative risk assessment method, what are the two variables for determining risks?
Answers:
• In qualitative risk assessment method, what are the two variables for determining risks?
– Likelihood and Impact.
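Added example, not from the slide deck: the two analysis methods from the earlier answer (qualitative and quantitative) applied to the two variables named here, likelihood and impact, followed by the prioritization step of Boehm's risk assessment. The three-level qualitative matrix and the sample risk register are constructed for this example; the quantitative figure uses expected annual loss = events per year x loss per event, which is the usual quantitative reading of likelihood x impact and is an assumption of this example rather than a formula stated on the slide.

```python
"""Added example, not from the slide deck: qualitative and quantitative risk
analysis from the two variables on this slide (likelihood and impact), then
prioritization. The matrix and the sample risks are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("low", "moderate", "high")  # constructed three-level scale

# Constructed qualitative matrix: (likelihood, impact) -> risk rating.
QUALITATIVE_MATRIX: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",                ("low", "moderate"): "low",
    ("low", "high"): "moderate",          ("moderate", "low"): "low",
    ("moderate", "moderate"): "moderate", ("moderate", "high"): "high",
    ("high", "low"): "moderate",          ("high", "moderate"): "high",
    ("high", "high"): "high",
}


@dataclass
class Risk:
    name: str
    likelihood: str                            # qualitative level
    impact: str                                # qualitative level
    events_per_year: Optional[float] = None    # quantitative likelihood
    loss_per_event: Optional[float] = None     # quantitative impact


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Look up the rating; reject levels that are not on the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return QUALITATIVE_MATRIX[(likelihood, impact)]


def expected_annual_loss(events_per_year: float, loss_per_event: float) -> float:
    """Quantitative reading of likelihood x impact (assumption of this example)."""
    if events_per_year < 0 or loss_per_event < 0:
        raise ValueError("rate and loss must be non-negative")
    return events_per_year * loss_per_event


def assess(risk: Risk) -> dict:
    """Risk analysis: attach a rating and, where data exists, a dollar figure."""
    result = {"name": risk.name,
              "rating": qualitative_rating(risk.likelihood, risk.impact),
              "expected_loss": None}
    if risk.events_per_year is not None and risk.loss_per_event is not None:
        result["expected_loss"] = expected_annual_loss(risk.events_per_year,
                                                       risk.loss_per_event)
    return result


def prioritize(risks: List[Risk]) -> List[dict]:
    """Risk prioritization: highest rating first, ties broken by expected loss.
    Risks with no quantitative data sort below quantified risks of equal rating."""
    assessed = [assess(r) for r in risks]
    return sorted(assessed,
                  key=lambda a: (LEVELS.index(a["rating"]), a["expected_loss"] or 0.0),
                  reverse=True)


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("lost backup tape", "low", "high", events_per_year=0.05, loss_per_event=400_000),
    Risk("helpdesk phishing", "high", "moderate", events_per_year=0.75, loss_per_event=40_000),
    Risk("unpatched web server", "high", "high", events_per_year=0.5, loss_per_event=200_000),
    Risk("stale contractor account", "moderate", "moderate"),  # not yet quantified
]

if __name__ == "__main__":
    for entry in prioritize(SAMPLE_RISKS):
        print(entry)
```

The qualitative matrix decides the order of attention; the quantitative figure only separates risks that share a rating, so a risk that cannot yet be quantified is never dropped from the list, it simply sorts last within its rating.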
Configuration Management
(Figure: change control workflow: Check-in Baseline; Change; Reject; Report Change Status to CCB; Close CCR)
(Figure: an IT asset composed of software configuration items SWCI-1, SWCI-2 and SWCI-3, each with its own security configuration benchmark; deviations from a benchmark are flagged)
(Figure: organizational-level context and perspectives: sub-agency security posture reporting data rolled up to Organization / Enterprise Sec. Mgmt & Oversight across organizational IT assets)
References:
* The Global State of Information Security 2008, CSO Online (http://www.csoonline.com/article/print/454939)
Personnel Security
References: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model, CERT Program, Software Engineering Institute and CyLab at Carnegie Mellon University, June 2009.
Project Management
(Figure: activity vs. time with resource loading of 1 x FTE, 3 x FTE and 4 x FTE; work products such as module, software code, etc.)
Reference:
• The Principle of Scientific Management, by Frederick Winslow Taylor, 1911.
• http://en.wikipedia.org/wiki/Critical_path_method
• http://en.wikipedia.org/wiki/PERT
(Figure: project network diagram, WBS items 1.0 to 1.5, tasks A to H with durations from t = 2 wk to t = 8 wk)
Management Methodologies
Some serious facts about the current state of federal IT projects
• Government Accountability Office (GAO) reported:
– “… for fiscal year 2006, nearly 25% of the funds (IT budget) requested, totaling about $15 billion, were considered by OMB to be at risk.”
– “In the case of risk assessment, supporting documentation for about 75% of the investments did not address OMB’s required risk categories.”
• Government Computer News (GCN) reported a survey of 104 Federal IT executives:
– Reasons for program over-run are…
• 65+%: Poor program management.
• 54%: Scope creep.
– The key to reducing the number of failed agency IT projects is…
• Training.
Resource:
• GAO-06-250 Information Technology: Agencies Need to Improve the Accuracy and Reliability of Investment Information.
• http://www.gcn.com/online/vol1_no1/42733-1.html
Reference:
• http://www.acq.osd.mil/pm/historical/ansi/ansi_announce.html
• http://www.ndia.org/Content/ContentGroups/Divisions1/Procurement/NDIA_PMSC_EVMS_IntentGuide_Jan2006U1.pdf
(Figure: cost variance (CV) over time from t0; BCWP and Actual Costs (ACWP) curves plotted against the Budget at Completion (BAC))
BCWP = $400k
ACWP = $450k
CV = - $50k
CPI = .89
(Figure: schedule variance (SV) over time from t0; BCWS and BCWP curves plotted against the Budget at Completion (BAC))
BCWP = $400k
BCWS = $500k
SV = - $100k
SPI = .80
(Figure: schedule performance index, SPI = .80, with BCWS $500k and BCWP $400k against the Budget at Completion (BAC))
Question:
• If SPI < 1 then how …
Project Recovery
(Figure: the cost variance chart repeated, annotated with the recovery cost ($$) needed to reach the Budget at Completion (BAC))
BCWP = $400k
ACWP = $450k
CV = - $50k
CPI = .89
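Added example, not from the slides: the earned value figures from the charts above computed in Python. The variance and index formulas (CV = BCWP - ACWP, SV = BCWP - BCWS, CPI = BCWP / ACWP, SPI = BCWP / BCWS) are the standard EVM definitions, which the charts apply without stating. The CPI-based estimate at completion (EAC = BAC / CPI) goes beyond what the slides show and is included as a common forecast, and the BAC value of $1,000k is constructed, since the charts draw BAC without a number.

```python
"""Added example, not from the slides: earned value metrics for the charts
above. Formulas are the standard EVM definitions; EAC = BAC / CPI is a common
forecast that the slides do not state; the BAC value is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EarnedValue:
    bcws: float  # Budgeted Cost of Work Scheduled (planned value)
    bcwp: float  # Budgeted Cost of Work Performed (earned value)
    acwp: float  # Actual Cost of Work Performed
    bac: float   # Budget at Completion

    def __post_init__(self):
        if self.acwp <= 0 or self.bcws <= 0:
            raise ValueError("ACWP and BCWS must be positive to compute indices")

    def cost_variance(self) -> float:
        return self.bcwp - self.acwp      # negative: spending more than earned

    def schedule_variance(self) -> float:
        return self.bcwp - self.bcws      # negative: earned less than planned

    def cpi(self) -> float:
        return self.bcwp / self.acwp      # < 1: each dollar spent earns less than a dollar

    def spi(self) -> float:
        return self.bcwp / self.bcws      # < 1: earning value slower than planned

    def estimate_at_completion(self) -> float:
        # Assumption: cost performance to date continues (CPI-based forecast).
        return self.bac / self.cpi()

    def status(self) -> dict:
        """Plain-language reading of the two indices."""
        def word(index: float, below: str, above: str) -> str:
            if index < 1:
                return below
            return above if index > 1 else "on plan"
        return {
            "cost": word(self.cpi(), "over budget", "under budget"),
            "schedule": word(self.spi(), "behind schedule", "ahead of schedule"),
        }


# Values from the charts above; BAC of $1,000k is constructed.
PROJECT = EarnedValue(bcws=500_000, bcwp=400_000, acwp=450_000, bac=1_000_000)

if __name__ == "__main__":
    print("CV  =", PROJECT.cost_variance())
    print("SV  =", PROJECT.schedule_variance())
    print("CPI =", round(PROJECT.cpi(), 2))
    print("SPI =", round(PROJECT.spi(), 2))
    print("EAC =", round(PROJECT.estimate_at_completion()))
    print(PROJECT.status())
```

With the chart's numbers the project is both over budget (CPI .89) and behind schedule (SPI .80), and the CPI-based forecast says the constructed $1,000k budget will finish at about $1,125k if nothing changes, which is the gap the Project Recovery slide's $$ annotation represents.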
Project Recovery
• Use CPM to find task dependencies.
• Use PERT to locate effect(s) on schedule.
• Use Cause-Effect (Fishbone) to locate problem.
(Figure: fishbone diagram with major cause categories and secondary causes)
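Added example, not from the slides: a critical path method (CPM) calculation for the "Use CPM to find task dependencies" and "locate effect(s) on schedule" bullets above. The task network is constructed: it reuses task names A to H and week-long durations in the range shown on the network diagram slide, but the dependencies are an assumption, since they cannot be recovered from the figure. The block computes early and late start and finish, slack and the critical path, then re-runs the schedule with one task delayed to show how the critical path and project duration shift.

```python
"""Added example, not from the slides: critical path method on a constructed
task network. Task names and durations resemble the network diagram slide;
the dependencies are an assumption."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed network: task -> (duration in weeks, predecessors).
TASKS: Dict[str, Tuple[int, List[str]]] = {
    "A": (3, []),
    "B": (4, ["A"]),
    "C": (7, ["B"]),
    "D": (5, ["B"]),
    "E": (2, ["C"]),
    "F": (3, ["D"]),
    "G": (5, ["E", "F"]),
    "H": (8, ["G"]),
}


def topological_order(tasks):
    """Kahn's algorithm; also returns the successor map used by the backward pass."""
    indeg = {t: len(preds) for t, (_, preds) in tasks.items()}
    succ = defaultdict(list)
    for t, (_, preds) in tasks.items():
        for p in preds:
            succ[p].append(t)
    queue = deque(t for t, d in indeg.items() if d == 0)
    order = []
    while queue:
        t = queue.popleft()
        order.append(t)
        for s in succ[t]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("task network contains a cycle")
    return order, succ


def schedule(tasks):
    """Forward pass (ES/EF), backward pass (LS/LF) and slack for every task."""
    order, succ = topological_order(tasks)
    es, ef = {}, {}
    for t in order:
        dur, preds = tasks[t]
        es[t] = max((ef[p] for p in preds), default=0)
        ef[t] = es[t] + dur
    duration = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):
        dur = tasks[t][0]
        lf[t] = min((ls[s] for s in succ[t]), default=duration)
        ls[t] = lf[t] - dur
    table = {t: {"ES": es[t], "EF": ef[t], "LS": ls[t], "LF": lf[t],
                 "slack": ls[t] - es[t]} for t in order}
    return table, duration


def critical_path(tasks):
    """Tasks with zero slack, in network order, plus the project duration."""
    table, duration = schedule(tasks)
    return [t for t, row in table.items() if row["slack"] == 0], duration


def with_delay(tasks, task, extra_weeks):
    """Copy of the network with one task's duration extended (the PERT 'what if')."""
    dur, preds = tasks[task]
    changed = dict(tasks)
    changed[task] = (dur + extra_weeks, preds)
    return changed


if __name__ == "__main__":
    path, weeks = critical_path(TASKS)
    print("critical path:", " -> ".join(path), f"({weeks} wk)")
    path, weeks = critical_path(with_delay(TASKS, "D", 3))
    print("after delaying D by 3 wk:", " -> ".join(path), f"({weeks} wk)")
```

On the constructed network D and F each carry one week of slack, so a one-week slip there is absorbed; a three-week slip on D moves the critical path through D and F and stretches the project from 29 to 31 weeks, which is the kind of schedule effect the recovery bullet asks you to locate.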
Validation Time…
Exercise #1: Build Security In
• A civilian agency is planning an acquisition of an information system…
– Please identify key security engineering tasks required.
Exercise #2: Risk Management Process
• A civilian agency is planning an acquisition of an information system that will assess the security configuration settings of IT assets in a Secret-System High operating enclave.
– Please identify the attributes required to enable you to determine the information protection needs.